
Configuring Virtual Private Networks for Remote Clients and Networks

How to Configure VPN Address Assignment
When VPN clients connect to the VPN server, they must be assigned an IP address configuration that enables them to access the resources on the internal network or other networks. ISA Server can be configured to assign the IP address configuration directly, or to use a Dynamic Host Configuration Protocol (DHCP) server to assign the addresses.

When you use DHCP, VPN clients are assigned IP addresses that are part of the internal network subnet. The advantage of this addressing scheme is that you do not need to create special routing table entries to support the VPN clients, and all VPN clients will automatically be able to access the internal network and the Internet (using the protocols specified in the access rules). In this configuration, ISA Server acts as an Address Resolution Protocol (ARP) proxy for VPN clients. For example, when addresses assigned to the VPN Clients network are part of the internal network segment, computers from the internal network will send ARP queries to VPN clients. ISA Server will intercept the queries and reply on behalf of the connected VPN client. The network traffic will then be transparently routed to the VPN client.

Assigning IP Addresses to VPN Clients
When VPN clients connect to ISA Server, the client must be assigned an IP address.
There are two ways that ISA Server can assign the addresses:
1- Dynamic address assignment: To enable dynamic address assignment, a DHCP server must be accessible from the computer running ISA Server. Any computer running Windows Server 2003 or Windows 2000 Server on the internal network can serve as the DHCP server. If you use a DHCP server for address assignment, ISA Server retrieves a group of available IP addresses from the DHCP server. When a VPN client connects, ISA Server assigns one of these addresses to the VPN client. As part of the IP address assignment, ISA Server also assigns other TCP/IP properties such as the Domain Name System (DNS) servers and Windows Internet Naming Service (WINS) servers. The IP address assigned to the client is automatically moved from the internal network to the VPN Clients network (or the Quarantined VPN Clients network if quarantine is enabled and the client is quarantined).

2- Static address assignment: You can also configure ISA Server with a static pool of addresses to assign to VPN clients. In this configuration, you do not need a DHCP server; rather, you configure the IP addresses on the computer running ISA Server. When a client connects, ISA Server assigns one of the IP addresses to the VPN client. If you use a static address pool for address assignment, the addresses that you want to assign to the pool must first be removed from other defined networks, because overlapping of IP addresses between networks is not allowed. You must also provide one more IP address in the static address pool than the expected number of remote VPN connections, because the VPN interface on ISA Server requires an IP address.
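The two constraints on a static pool (no overlap with other defined networks, and one spare address for the server's own VPN interface) are easy to get wrong by hand. The following checker is an added example, not ISA Server code; the pool ranges, network names and CIDRs are constructed inputs.

```python
import ipaddress


def check_static_pool(pool_ranges, defined_networks, expected_connections):
    """Validate a static VPN address pool against the two rules above.

    pool_ranges: list of (start, end) IPv4 strings, as entered in the ISA Server console.
    defined_networks: {network name: CIDR} for every other network ISA Server knows about.
    Returns a list of findings; an empty list means the pool is usable.
    """
    findings = []
    total = 0
    for start_s, end_s in pool_ranges:
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if end < start:
            findings.append(f"range {start}-{end}: end address precedes start address")
            continue
        total += int(end) - int(start) + 1
        for name, cidr in defined_networks.items():
            net = ipaddress.ip_network(cidr, strict=False)
            # Two ranges overlap when each one starts no later than the other one ends.
            if start <= net[-1] and net[0] <= end:
                findings.append(f"range {start}-{end} overlaps network '{name}' ({net}); "
                                "remove those addresses from that network first")
    # ISA Server's own VPN interface takes one address, so size the pool with one spare.
    required = expected_connections + 1
    if total < required:
        findings.append(f"pool holds {total} addresses but {required} are needed "
                        f"({expected_connections} clients plus the server's VPN interface)")
    return findings
```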

Configuring Dial-In Permissions in Active Directory
In addition to configuring ISA Server to enable VPN connections, you must also configure Active Directory user accounts to enable dial-in permissions for those accounts. Until this is configured, users will be unable to connect to ISA Server using a VPN. The default user account configuration in Active Directory varies depending on the domain being used to authenticate users.

1- In Windows 2000 mixed-mode domains, or in Windows Server 2003 domains at the Windows 2000 mixed-functional level, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per-account basis for these Active Directory domains.

2- In Windows 2000 native-mode domains, or in Windows Server 2003 domains at the Windows 2000 native or Windows Server 2003 functional levels, all user accounts, by default, have dial-in access controlled by Remote Access Policy. You can control dial-in access by just modifying the remote-access policy.

3- Windows NT 4.0 domains always have dial-in access controlled on a per-user account basis.

MCP 70-350: Installing ISA Server 2004

Dynamic Host Configuration Protocol Requirements:

DHCP is not required to support an ISA Server infrastructure, but it is highly recommended to simplify network management. Even on relatively small networks of 250 or fewer computers, you will benefit from reduced administrative effort by configuring a DHCP server on your network. The advantage of using DHCP is that it can provide the IP configuration for all the client computers on your network automatically. This can make your ISA Server deployment much more efficient. For example, if you need to reconfigure the default gateway for all your client computers to point to the new ISA Server computer or to a new DNS server for Internet name resolution, you can just change the scope setting on the DHCP server and all the clients will be reconfigured automatically.

DHCP is also used to support VPN remote access connections to ISA Server. By default, ISA Server will use DHCP to assign IP addresses to all VPN clients. When you enable remote VPN client access on ISA Server, it will obtain a set of IP addresses from the DHCP server and assign the IP address to the VPN clients. By default, ISA Server 2004 will also assign DNS or WINS server addresses based on the DHCP scope information.

MCP 70-350: Installing ISA Server 2004

Network Infrastructure Requirements:

For your ISA Server implementation to succeed, you must ensure that the network infrastructure supports the ISA Server implementation. To support your ISA Server infrastructure, the following networking services must be installed and configured on your network:
- DNS
- Domain controllers
- DHCP
These supporting services are critical to the proper functioning of your ISA Server network infrastructure.

Domain Name System Requirements
To connect to resources on the Internet, client computers must be able to resolve the DNS names for servers on the Internet to IP addresses. If you publish internal servers to the Internet, users on the Internet must be able to resolve the DNS names for the published servers to an IP address. To enable both of these scenarios, a DNS infrastructure must be in place to provide name-resolution services.

To enable access to Internet resources, ensure that all client computers can resolve Internet DNS names. At a high level, you have two options for enabling name resolution for Internet resources: You can use an internal DNS server that can resolve both internal and Internet DNS addresses, or you can use an external DNS server to resolve IP addresses on the Internet.

To Use an Internal DNS Server: Many organizations have deployed DNS servers on their internal networks. If you have deployed Active Directory in Microsoft Windows 2000 Server or in Windows Server 2003, DNS is required for domain replication and user authentication, so all client computers running Windows 2000 or later must be able to resolve the DNS names for domain controllers. In this environment, the internal DNS server is configured with DNS zones for your Active Directory domains.

To allow internal users to access Internet resources, the internal DNS servers must also be configured to resolve Internet DNS names. One way to enable this is to configure the DNS servers to forward all requests for Internet name resolution to DNS servers on the Internet. When you configure a DNS server to use a forwarder, it sends to the forwarder requests for domains for which it is not authoritative.

To Use an External DNS Server: Some organizations have not deployed internal DNS servers or have not configured the internal DNS servers to resolve Internet DNS addresses. In this situation, all Internet name resolution must be performed by DNS servers on the Internet. You have two options to enable this. If you use Web Proxy clients and Firewall clients, ISA Server can function as a DNS proxy server to resolve Internet DNS requests on the client's behalf.

Domain Controller Requirements:
If you want to restrict access to Internet resources based on user accounts, or if you want to require authentication before users can access published servers, ISA Server must be able to access a directory of user accounts to determine whether the user should have access. ISA Server provides several options for authenticating the users, including Remote Authentication Dial-In User Service (RADIUS), RSA SecureID, or the local user account database on the computer running ISA Server. However, the easiest option to implement for most organizations is to use a domain directory service to authenticate the users. Most organizations already have a domain infrastructure that includes all the user accounts; in such cases, ISA Server can use this directory service to authenticate user accounts.

You can use Windows 2000, Windows Server 2003, or Windows NT 4 domains to perform this service. To use the domain for authentication, the server running ISA Server must be a member of the domain. In addition, ISA Server must be able to communicate with the domain controllers on the internal network. If you use Active Directory in Windows Server 2003 or Windows 2000, you must configure the internal network interface on the ISA Server computer with the IP address of a DNS server that can resolve the IP addresses for the local domain controllers.

3 - Hardening Computers for Specific Roles:

Lesson 1: Tuning Security for Client Roles:

Planning Managed Client Computers:

When planning the requirements for managed client computers, start by identifying the baseline security level that is appropriate for users to have on their computers. The baseline user security level is specified by granting users membership to one of these groups: Users, Power Users, and Administrators. Membership in the Users group gives the most protection from a number of external threats, such as viruses, and it limits the damage that users can accidentally or intentionally cause to their computers. However, user level permissions have the most incompatibility problems with older applications. Take particular care before you give users privileged access to computers that they share with other employees.
Next, identify the types of systems users need to interoperate with. Interoperability with earlier systems, such as Microsoft Windows NT 4.0–based servers and UNIX file servers, necessitates that some of the security you might use in a pure Windows Server 2003 environment must be relaxed.
Finally, consider the level of support users provide for their own computers. Users who use portable computers and provide their own support might require administrator rights on their computers. Other high-performance users, such as developers, might also need administrative rights.
Software Restriction Policies:

Software restriction policies are a feature in Windows XP and Windows Server 2003 that can be used to regulate unknown or untrusted software. Businesses that do not use software restriction policies put the burden of identifying safe and unsafe software on the users. Users who access the Internet must constantly make decisions about running unknown software. Malicious users intentionally disguise viruses and Trojans to trick users into running them. It is difficult for users to make safe choices about what software they should run.
With software restriction policies, you can protect your network from untrusted software by identifying and specifying the software that is allowed to run. You can define a default security level of Unrestricted or Disallowed for a Group Policy object (GPO) so that software is either allowed or not allowed to run by default. You can make exceptions to this default security level by creating software restriction policy rules for specific software. For example, if the default security level is set to Disallowed, you can create rules that allow specific software to run.
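To make the "Disallowed by default, allow by exception" model concrete, here is an added model of how a software restriction policy decides whether an executable may run; it is not Windows code. It applies the documented precedence (hash rules, then certificate rules, then path rules, then Internet zone rules, then the default level) and lets a more specific path rule override a broader one. The use of SHA-256 for hash rules and the sample paths are assumptions of this example.

```python
import hashlib
from fnmatch import fnmatch

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

# Documented SRP rule precedence: hash, then certificate, then path, then Internet zone.
# Only when no rule matches does the GPO's default security level apply.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


def hash_of(data):
    # Real SRP hash rules used MD5/SHA-1; SHA-256 is an assumption made for this model.
    return hashlib.sha256(data).hexdigest()


class SoftwareRestrictionPolicy:
    def __init__(self, default_level):
        self.default_level = default_level
        self.rules = []  # (kind, value to match, level)

    def add_rule(self, kind, match, level):
        if kind not in PRECEDENCE or level not in (UNRESTRICTED, DISALLOWED):
            raise ValueError(f"unsupported rule {kind!r} / level {level!r}")
        self.rules.append((kind, match, level))

    def evaluate(self, exe):
        """exe: dict with 'bytes' and 'path', plus optional 'publisher' and 'zone'."""
        digest = hash_of(exe["bytes"])
        hits = []
        for kind, match, level in self.rules:
            matched, specificity = False, 0
            if kind == "hash":
                matched = match == digest
            elif kind == "certificate":
                matched = exe.get("publisher") == match
            elif kind == "path":
                matched = fnmatch(exe["path"].lower(), match.lower())
                specificity = len(match)  # a longer (more specific) path rule wins
            elif kind == "zone":
                matched = exe.get("zone") == match
            if matched:
                # Sort key: precedence, then specificity, then Disallowed before Unrestricted
                # so that on a full tie the more restrictive rule applies.
                hits.append((PRECEDENCE[kind], -specificity, level != DISALLOWED, level))
        return min(hits)[3] if hits else self.default_level
```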

Security for Desktop Computers:

When a computer manufacturer delivers a new computer to an organization, the operating system is generally configured to provide the greatest flexibility to the typical user. Many organizations have additional software installed on top of the operating system, such as Microsoft Office. This provides power users with the tools they need to do their jobs.
However, many types of employees do not require much flexibility and will actually be more productive if the software on their computers is restricted. For example, a user in the accounts payable department might only need access to an e-mail client, accounting software, and a Web browser. For this type of user, restricting the applications they can run can make them more productive (for example, by removing Solitaire). Additionally, it can reduce the risk of malicious software, such as viruses and Trojans, infecting the computer.
In a typical restricted desktop computer role, the desktop and Start menu are significantly simplified. Users cannot make extensive customizations, other than a limited number of application-specific settings. Applications are typically allocated to users based on their job roles, and users cannot add or remove applications. This type of desktop configuration is appropriate in a marketing or finance department, for example.
In these areas, users require only a specific and limited set (typically three to five) of productivity and in-house applications to do their jobs.

Security for Mobile Computers:

Mobile computers require that you attend to several additional security considerations beyond those of desktop computers. Mobile users might use their computers while traveling, which might require them to perform administrative tasks that a member of the IT group would normally perform. For example, a mobile user might need to print a document using a different printer than the one installed in the office, and would need to install the correct printer driver. To allow this, disable the Devices: Prevent Users From Installing Printer Drivers security option. If you anticipate that users who work away from the office will need to install or reinstall applications while working remotely, you might want to enable the Always Install With Elevated Privileges setting in the Administrative Templates\Windows Components\Windows Installer node.
Mobile users might connect to foreign networks, such as a wireless hotspot at a coffee shop. These foreign networks won’t have the benefit of your organization’s network security, so mobile users have an elevated risk of being attacked across the network. To mitigate this risk, enable the Internet Connection Firewall (ICF, known in Service Pack 2 as Windows Firewall) on all network interfaces for mobile computers. Unfortunately, ICF cannot be configured by using Group Policy settings. Lesson 2 in this chapter contains more information about firewalls.

Lesson Summary

■ Software restriction policies can be applied to a GPO to restrict the applications that can run on a target system. Software restriction policies can restrict applications based on a hash of the executable file, the path in the file system, a certificate associated with the application, or the Internet zone from which the application is running.
■ You should create security templates for the various computer roles in your organizations, including desktop computers, mobile computers, and kiosks. Whenever possible, you should base these templates on a predefined security template.
■ Security templates are useful for creating GPOs, but they contain only a subset of the settings available when configuring a GPO. Therefore, after importing a security template into a GPO, you might have to use the Group Policy Object Editor to specify additional settings.
■ Mobile computers have different security considerations than desktop computers. Mobile computers are subject to a wider array of network attacks because they might connect to unprotected networks. Additionally, they are more likely to be stolen, so encryption of the disk’s physical contents might be necessary.
■ Kiosks require security settings that are tightly restricted to prevent abuse. GPOs allow an administrator to remove all major user interface elements and configure kiosk computers to log on a user and launch a single application automatically at startup.

Module 2 (70-291): Allocating IP addressing using DHCP

Definition:

DHCP is an IP standard that simplifies the management of host IP configuration. The DHCP standard allows DHCP servers to manage the dynamic allocation of IP addresses and other IP configuration data for the DHCP clients on your network.

Why use DHCP?

For TCP/IP-based networks, DHCP simplifies and reduces the administrative work involved in reconfiguring computers.

To understand how DHCP simplifies TCP/IP configuration on client computers, it is useful to compare manual and automatic TCP/IP configuration, automatic configuration being the one that uses DHCP.

Manual TCP/IP configuration:

When you configure the IP configuration data for each host by entering the information manually, such as the IP address, subnet mask or default gateway, you can make typing errors. These errors can cause communication problems or incidents caused by duplicate IP addresses. In addition, this creates extra administrative work on networks where computers are frequently moved from one subnet to another. Likewise, when you need to change an IP value for several clients, you have to update the IP configuration of each client.
Procedure 1:

To add the DHCP Server service, proceed as follows:
1. Log on using a non-administrative user account.
2. Click Start, then Control Panel.
3. In Control Panel, open Administrative Tools, right-click Manage Your Server, then select Run as.
4. In the Run As dialog box, select The following user, enter a user account and password with the appropriate permissions to perform the task, then click OK.
5. In the Manage Your Server window, click Add or remove a role.
6. On the Preliminary Steps page, click Next.
7. In the Configure Your Server Wizard, select DHCP server, then click Next.
8. On the Summary of Selections page, click Next.
9. In the New Scope Wizard, click Cancel to skip creating a scope at this stage.
10. In the Configure Your Server Wizard, click Finish.

Procedure 2: configuring DHCP scopes:
To configure a DHCP scope, proceed as follows:
1. Open the DHCP console.
2. In the console tree, click the DHCP server concerned.
3. On the Action menu, click New Scope.
4. In the New Scope Wizard, click Next.
5. On the Scope Name page, configure the Name and Description options.
6. On the IP Address Range page, configure the Start IP address, End IP address and Subnet mask options.
7. On the Add Exclusions page, configure the Start IP address and End IP address options, if applicable. If there is only one excluded IP address, enter that IP address as the Start IP address.
8. On the Lease Duration page, configure the Days, Hours and Minutes options.
9. On the Configure DHCP Options page, select No, I will configure these options later.
10. On the Completing the New Scope Wizard page, click Finish.
Procedure for configuring a DHCP reservation:

To configure a DHCP reservation, proceed as follows:
1. Open the DHCP console.
2. In the console tree, click Reservations.
3. On the Action menu, click New Reservation.
4. In the New Reservation dialog box, fill in the following fields:
a. Reservation name
b. IP address
c. MAC address (without hyphens)
d. Description
5. Under Supported types, select one of the following options:
a. Both
b. DHCP only
c. BOOTP only
6. In the New Reservation dialog box, click Add, then Close.
Procedure 3: verifying a DHCP reservation:
To verify the DHCP reservation, proceed as follows:
1. On the client computer, at the command prompt, release the client's IP address using the ipconfig /release command.
2. On the server computer, in the DHCP console, under Address Leases, verify that the reservation is shown as inactive.
3. On the client computer, at the command prompt, renew the client's IP address using the ipconfig /renew command.
4. On the server computer, in the DHCP console, under Address Leases, verify that the reservation is shown as active.

Procedure 4: configuring DHCP server options:
To configure a DHCP server option, proceed as follows:
1. Open the DHCP console.
2. In the console tree, under the server name, click Server Options.
3. On the Action menu, click Configure Options.
4. In the Server Options dialog box, select the option to configure from the Available Options list.
5. Under Data entry, enter the information required to configure this option.
6. In the Server Options dialog box, click OK.
How a DHCP relay agent works:

The following steps describe how a DHCP relay agent operates:

1. The DHCP client broadcasts a DHCPDISCOVER packet.
2. The DHCP relay agent on the client's subnet sends the DHCPDISCOVER message to the DHCP server by unicast.
3. The DHCP server uses unicast to send a DHCPOFFER message to the DHCP relay agent.
4. The DHCP relay agent broadcasts the DHCPOFFER packet on the DHCP client's subnet.
5. The DHCP client broadcasts a DHCPREQUEST packet.
6. The DHCP relay agent on the client's subnet sends the DHCPREQUEST message to the DHCP server by unicast.
7. The DHCP server uses unicast to send a DHCPACK message to the DHCP relay agent.
8. The DHCP relay agent broadcasts the DHCPACK packet on the DHCP client's subnet.
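The eight relay steps, together with the scope, exclusion and reservation procedures above, are modelled below as an added example (not Microsoft code): a server with console-style scopes, a relay that stamps the giaddr field so the server can tell which subnet the client sits on, and a driver that runs DISCOVER/OFFER then REQUEST/ACK through the relay. All addresses, MACs and the scope layout are constructed sample values.

```python
import struct
import ipaddress

# DHCP message types (option 53) used in the eight steps above
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed 236-byte header

def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    """Minimal DHCP message: fixed header, magic cookie, message-type option, end marker."""
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000,  # flags: broadcast bit set
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4,
                        ipaddress.IPv4Address(giaddr).packed, chaddr.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(pkt):
    f = struct.unpack(HDR, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return {"xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])), "chaddr": f[11][:6],
            "giaddr": str(ipaddress.IPv4Address(f[10])), "type": opts[53][0]}

class RelayAgent:  # sits on the client subnet, forwards client broadcasts to the server as unicast
    def __init__(self, interface_ip, server_ip):
        self.giaddr, self.server_ip = ipaddress.IPv4Address(interface_ip).packed, server_ip
    def to_server(self, pkt):
        # Stamp giaddr (only if no earlier relay already did) and count a hop. The server
        # selects the scope from giaddr: that is how it learns which subnet the client is on.
        giaddr = pkt[24:28] if pkt[24:28] != b"\0" * 4 else self.giaddr
        return self.server_ip, pkt[:3] + bytes([pkt[3] + 1]) + pkt[4:24] + giaddr + pkt[28:]

class DhcpServer:  # scopes as built in the console: subnet, start/end, exclusions, reservations
    def __init__(self, scopes):
        self.scopes = [(ipaddress.ip_network(s["subnet"]), s) for s in scopes]
        self.leases = {}  # chaddr -> address string
    def _pick(self, scope, chaddr):
        reservations = scope.get("reservations", {})
        if chaddr in reservations:
            return reservations[chaddr]  # reserved MAC always gets its reserved address
        as_int = lambda a: int(ipaddress.ip_address(a))
        blocked = {as_int(a) for a in list(self.leases.values()) + list(reservations.values())}
        blocked |= {n for lo, hi in scope.get("exclusions", []) for n in range(as_int(lo), as_int(hi) + 1)}
        for n in range(as_int(scope["start"]), as_int(scope["end"]) + 1):
            if n not in blocked:
                return str(ipaddress.ip_address(n))
        return None  # scope exhausted
    def handle(self, pkt):
        m = parse_dhcp(pkt)
        scope = next((s for net, s in self.scopes if ipaddress.ip_address(m["giaddr"]) in net), None)
        if scope is None:
            return None  # relayed from a subnet with no scope: no answer
        addr = self.leases.get(m["chaddr"])
        if m["type"] == DISCOVER and addr is None:
            addr = self._pick(scope, m["chaddr"])
        if addr is None or m["type"] not in (DISCOVER, REQUEST):
            return None  # exhausted scope, or a REQUEST from a client we never offered to
        self.leases[m["chaddr"]] = addr
        return build_dhcp(2, OFFER if m["type"] == DISCOVER else ACK, m["xid"], m["chaddr"],
                          yiaddr=addr, giaddr=m["giaddr"])

def run_exchange(client_mac, relay, server, xid=0x1234):
    trace = []
    for mtype in (DISCOVER, REQUEST):
        client_pkt = build_dhcp(1, mtype, xid, client_mac)  # steps 1 and 5: client broadcast
        dst, forwarded = relay.to_server(client_pkt)        # steps 2 and 6: unicast to server
        reply = server.handle(forwarded)                    # steps 3 and 7: unicast back to relay
        if reply is None:
            break
        m = parse_dhcp(reply)  # steps 4 and 8: the relay rebroadcasts this on the client subnet
        trace.append((mtype, dst, m["type"], m["yiaddr"]))
    return trace
```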
Procedure 4: adding a DHCP relay agent:
To add a DHCP relay agent, proceed as follows:
1. Open the Routing and Remote Access console.
2. Right-click the server, then click Configure and Enable Routing and Remote Access.
3. On the Welcome page, click Next.
4. On the Configuration page, select Custom configuration, then click Next.
5. On the Custom Configuration page, select LAN routing, then click Next.
6. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
7. In the Routing and Remote Access warning dialog box, click Yes to start the service.
8. On the page stating that this server is now a remote access and VPN server, click Finish.
9. In the console tree, expand the server, then IP Routing, and select General.
10. Right-click General, then click New Routing Protocol.
11. In the New Routing Protocol dialog box, click DHCP Relay Agent, then OK.
